CVE-2022-38078
Last modified
CVE-2022-38078 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability. EPSS estimates a 1.85% chance of exploitation in the next 30 days.
Description
Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability. Sending a specially crafted message by POST method to Movable Type XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. Affected products and versions are as follows: Movable Type 7 r.5202 and earlier, Movable Type Advanced 7 r.5202 and earlier, Movable Type 6.8.6 and earlier, Movable Type Advanced 6.8.6 and earlier, Movable Type Premium 1.52 and earlier, and Movable Type Premium Advanced 1.52 and earlier. Note that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are also affected by this vulnerability.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Sixapart | Movable Type | < 1.53 |
| Sixapart | Movable Type | >= 6.0.0, < 6.8.7 |
| Sixapart | Movable Type | >= 7.0.0, < 7.9.5 |
References
- https://jvn.jp/en/jp/JVN57728859/index.htmlThird Party Advisory
- https://jvn.jp/en/jp/JVN57728859/index.htmlThird Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-38078?
How severe is CVE-2022-38078?
How do I fix CVE-2022-38078?
Are you affected by CVE-2022-38078?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST